

OpenLDAP + SSL + SSSD: centralized login authentication for Linux

Published: 2024/3/24


Part 1

Installing the OpenLDAP server (slapd)

1. Install with yum

yum install -y openldap openldap-servers openssh-ldap openldap-clients migrationtools

2. Configure an SSL certificate for the domain so that LDAP traffic is TLS-encrypted

  • The LDAP servers are addressed by the names master.ldap.conf.top (primary) and slave.ldap.conf.top (replica), so the certificate has to cover those names.

a) Create the file /etc/pki/CA/openssl.cnf with the following contents. The alt_names section at the end is what makes the certificate valid for the LDAP host names: clients match the name they connected to against subjectAltName, not only against the Common Name.
HOME            = .
RANDFILE        = $ENV::HOME/.rnd
oid_section     = new_oids

[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

[ ca ]
default_ca  = CA_default        # The default ca section

[ CA_default ]
dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file
                                        # (several certificates with same subject)
new_certs_dir   = $dir/newcerts         # default place for new certs
certificate     = $dir/certs/ca.crt     # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # (must be commented out to leave a V1 CRL)
crl             = $dir/crl/crl.pem      # The current CRL
private_key     = $dir/private/ca.key   # The private key
RANDFILE        = $dir/private/.rand    # private random number file
x509_extensions = usr_cert              # The extensions to add to the cert
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options
default_days    = 3650                  # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = sha256                # use public key default MD
preserve        = no                    # keep passed DN ordering
policy          = policy_dn

[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_dn ]
countryName             = supplied              # required parameter, any value allowed
stateOrProvinceName     = optional
localityName            = optional
organizationName        = match                 # required, and must match root certificate
organizationalUnitName  = optional
commonName              = supplied              # required parameter, any value allowed
emailAddress            = optional              # email in DN is deprecated, use subjectAltName

[ req ]
default_bits            = 2048
default_md              = sha256
encrypt_key             = no
prompt                  = yes
default_keyfile         = client.key
distinguished_name      = req_distinguished_name
x509_extensions         = v3_ca                 # The extensions to add to the self signed cert
string_mask             = utf8only

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CN
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Beijing
localityName                    = Locality Name (eg, city)
localityName_default            = Beijing
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Beijing Century Fortunet Network Technology Co.,Ltd.
organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = IT Operation Management
commonName                      = Common Name (eg, your name or your server's hostname)
commonName_max                  = 64
emailAddress                    = Email Address
emailAddress_max                = 64
emailAddress_default            = admin@conf.top

[ req_attributes ]
challengePassword       = A challenge password
challengePassword_min   = 4
challengePassword_max   = 20
unstructuredName        = An optional company name

[ usr_cert ]
basicConstraints        = CA:FALSE
nsComment               = "CONFCA Generated Certificate"
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer

[ v3_req ]
basicConstraints        = CA:FALSE
keyUsage                = digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth, clientAuth
subjectKeyIdentifier    = hash
subjectAltName          = @alt_names

[ v3_ca ]
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer
keyUsage                = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign
extendedKeyUsage        = serverAuth, clientAuth, codeSigning, timeStamping, emailProtection, msEFS, 1.3.6.1.4.1.311.10.3.11, 1.3.6.1.4.1.311.20.2.2
basicConstraints        = CA:true

[ X509_ca ]
basicConstraints        = CA:TRUE
nsCertType              = sslCA                 # restrict the usage
keyUsage                = keyCertSign, cRLSign  # restrict the usage
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always

[ X509_server ]
basicConstraints        = CA:FALSE
nsCertType              = server                # restrict the usage
keyUsage                = digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth            # restrict the usage
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer

[ X509_client ]
basicConstraints        = CA:FALSE
nsCertType              = client                # restrict the usage
keyUsage                = digitalSignature      # restrict the usage
extendedKeyUsage        = clientAuth            # restrict the usage
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer

[ crl_ext ]
authorityKeyIdentifier  = keyid:always

[ proxy_cert_ext ]
basicConstraints        = CA:FALSE
nsComment               = "CONFCA Generated Certificate"
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer
proxyCertInfo           = critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

[ tsa ]
default_tsa = tsa_config1   # the default TSA section

[ tsa_config1 ]
dir                     = ./demoCA                  # TSA root directory
serial                  = $dir/tsaserial            # The current serial number (mandatory)
crypto_device           = builtin                   # OpenSSL engine to use for signing
signer_cert             = $dir/tsacert.pem          # The TSA signing certificate (optional)
certs                   = $dir/cacert.pem           # Certificate chain to include in reply (optional)
signer_key              = $dir/private/tsakey.pem   # The TSA private key (optional)
default_policy          = tsa_policy1               # Policy if request did not specify it (optional)
other_policies          = tsa_policy2, tsa_policy3  # acceptable policies (optional)
digests                 = md5, sha1                 # Acceptable message digests (mandatory)
accuracy                = secs:1, millisecs:500, microsecs:100  # (optional)
clock_precision_digits  = 0     # number of digits after dot (optional)
ordering                = yes   # Is ordering defined for timestamps? (optional, default: no)
tsa_name                = yes   # Must the TSA name be included in the reply? (optional, default: no)
ess_cert_id_chain       = no    # Must the ESS cert id chain be included? (optional, default: no)

[ alt_names ]
DNS.1 = conf.top
DNS.2 = *.conf.top
DNS.3 = ***.conf.top
DNS.4 = *.***.conf.top
DNS.5 = ldap.conf.top
DNS.6 = *.ldap.conf.top
b) Create the CA certificate

# Create the working directories (umask 0077 is what keeps private/ca.key readable by root only)
cd /etc/pki/CA/ && umask 0077 && mkdir -p /etc/pki/CA/{private,certs,crl,csr,newcerts} && touch index.txt && echo '00' > serial
# Create the CA private key
openssl genrsa -out private/ca.key 2048
# Create the self-signed CA certificate. The other prompts can take their defaults, but when
# "Common Name (eg, your name or your server's hostname) []:" appears it must not be left at the
# default; enter CONFCA for the CA.
openssl req -days 177121 -new -sha256 -x509 -key private/ca.key -out certs/ca.crt -config openssl.cnf

The -days values used here and in the next step (177121 and 30659 days) are far beyond any reasonable certificate lifetime; shorten them for a real deployment.
c) Create the server (domain) certificate

## Create the key
openssl genrsa -out private/conf.top.key 2048
## Generate the CSR; again do not accept the default at the Common Name prompt, enter conf.top here.
## -reqexts names the extension section for a request; -extensions only applies together with -x509.
openssl req -new -sha256 -key private/conf.top.key -out csr/conf.top.csr -reqexts v3_req -config openssl.cnf
## Sign the certificate with the CA; -extensions v3_req adds the subjectAltName list from openssl.cnf
openssl ca -days 30659 -in csr/conf.top.csr -out certs/conf.top.crt -extensions v3_req -config openssl.cnf

Check the result before using it: openssl x509 -in certs/conf.top.crt -noout -text should list the names from alt_names under "X509v3 Subject Alternative Name", and openssl verify -CAfile certs/ca.crt certs/conf.top.crt should print OK.
d) Copy the CA certificate and the server certificate into the openldap directory

cp /etc/pki/CA/certs/ca.crt /etc/openldap/certs/ca.crt                   # CA certificate
cp /etc/pki/CA/certs/conf.top.crt /etc/openldap/certs/conf.top.crt       # server certificate
cp /etc/pki/CA/private/conf.top.key /etc/openldap/certs/conf.top.key     # server private key
# Lock down the directory: slapd runs as the ldap user and only needs read access
chown -R root:ldap /etc/openldap/certs
chmod -R 750 /etc/openldap/certs

3. Configure the OpenLDAP schema files

a) Copy the OpenSSH public-key schema (the path depends on the installed openssh-ldap and sudo versions; adjust it accordingly)

cp /usr/share/doc/openssh-ldap-5.3p1/openssh-lpk-openldap.schema /etc/openldap/schema/openssh-lpk-openldap.schema
b) Copy the sudo schema

cp /usr/share/doc/sudo-1.8.6p3/schema.OpenLDAP /etc/openldap/schema/sudo.schema

c) Custom access-control schema

  • Create the schema file

touch /etc/openldap/schema/my.schema
  • Description of the custom my.schema class (objectclass=MyAccount):

active: account status, 0 = disabled, 1 = enabled (required)
access: access control (required); multi-valued. When a user is added this attribute must be given the value ssh. It is designed to take further values such as web or ***, and an LDAP client enforces them through its search filter.
gauthcode: Google Authenticator secret (optional), used with the google-authenticator PAM module (Google Authenticator PAM module).
Some commonly used fields are also permitted: sn (surname), givenName (given name), displayName (full name), mobile (phone number), mail (email), photo (photo).
  • Contents of /etc/openldap/schema/my.schema (the OID arc 1.3.6.1.4.1.30000 is whoever registered that private enterprise number; use your own organization's PEN for production schema)

attributetype ( 1.3.6.1.4.1.30000.500.1.1.1 NAME 'active'
    DESC 'MANDATORY: Account active status 0-disable 1-enable'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.30000.500.1.1.2 NAME 'access'
    DESC 'MANDATORY: Access Control'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.30000.500.1.1.3 NAME 'gauthcode'
    DESC 'OPTIONAL: Google authenticator secret'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

objectclass ( 1.3.6.1.4.1.30000.500.1.2.0 NAME 'MyAccount'
    SUP top AUXILIARY
    DESC 'MANDATORY: conf user account'
    MUST ( active )
    MAY ( access $ gauthcode $ sn $ givenName $ displayName $ mobile $ mail $ photo ) )

4. Create the slapd configuration file

  • Run slappasswd and enter the administrator password; it prints the hashed value. Paste that value as rootpw in the next step.

slappasswd
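What slappasswd produces by default is an {SSHA} value: base64 of SHA-1(password || salt) followed by the salt. The Python below is an added example, not part of the original article, that builds and checks such values; the verify function performs the comparison slapd does on a simple bind against userPassword (the same scheme is used for the four service accounts in step 6), which is the thing to check when a bind fails with "invalid credentials" right after pasting a hash. A fixed salt is accepted only so that results are reproducible; slappasswd always picks a random one.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import os


def ssha_hash(password: str, salt: bytes | None = None) -> str:
    """Return an OpenLDAP {SSHA} userPassword value.

    Format: "{SSHA}" + base64( SHA1(password || salt) || salt ).
    slappasswd uses a random salt; passing one explicitly is only for reproducible output.
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def salt_of(stored: str) -> bytes:
    """Extract the salt from a stored {SSHA} value (everything after the 20-byte SHA-1 digest)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    return base64.b64decode(stored[len("{SSHA}"):])[20:]


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value, as slapd does on bind."""
    raw = base64.b64decode(stored[len("{SSHA}"):]) if stored.startswith("{SSHA}") else None
    if raw is None or len(raw) <= 20:
        raise ValueError("not a well-formed {SSHA} value")
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time compare


if __name__ == "__main__":
    value = ssha_hash("correct horse")
    print(value)
    print("good:", ssha_verify("correct horse", value), "bad:", ssha_verify("wrong", value))
```

Two values for the same password differ because of the salt, so never compare userPassword attributes textually; always verify with the salt taken from the stored value.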
  • Create the configuration file /etc/openldap/slapd.conf with the following contents:

include     /etc/openldap/schema/corba.schema
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/duaconf.schema
include     /etc/openldap/schema/dyngroup.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/java.schema
include     /etc/openldap/schema/misc.schema
include     /etc/openldap/schema/nis.schema
include     /etc/openldap/schema/openldap.schema
include     /etc/openldap/schema/ppolicy.schema
include     /etc/openldap/schema/collective.schema
include     /etc/openldap/schema/sudo.schema
include     /etc/openldap/schema/openssh-lpk-openldap.schema
include     /etc/openldap/schema/my.schema

allow bind_v2
disallow bind_anon
require authc

pidfile    /var/run/openldap/slapd.pid
argsfile   /var/run/openldap/slapd.args

# Replication module (master/slave)
#moduleload syncprov.la

# Certificates. TLSCACertificateFile takes a single CA file; TLSCACertificatePath is for a
# directory of hashed certificates and would not find ca.crt.
TLSCACertificateFile /etc/openldap/certs/ca.crt
TLSCertificateFile /etc/openldap/certs/conf.top.crt
TLSCertificateKeyFile /etc/openldap/certs/conf.top.key
TLSCipherSuite TLSv1.2+RSA:!EXPORT:!NULL
TLSVerifyClient never

# ACLs
database config
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by dn.exact="uid=ldap_sync,ou=ldap,dc=conf,dc=top" read
        by * none

database monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=root,dc=conf,dc=top" manage
        by dn.exact="uid=ldap_admin,ou=ldap,dc=conf,dc=top" manage
        by dn.exact="uid=ldap_sync,ou=ldap,dc=conf,dc=top" read
        by * none

database    bdb
access to attrs=gauthcode
        by anonymous auth
        by dn.exact="uid=ldap_write,ou=ldap,dc=conf,dc=top" write
        by dn.exact="uid=ldap_admin,ou=ldap,dc=conf,dc=top" manage
        by dn.exact="uid=ldap_sync,ou=ldap,dc=conf,dc=top" read
        by * none
access to attrs=userPassword
        by anonymous auth
        by dn.exact="uid=ldap_read,ou=ldap,dc=conf,dc=top" none
        by dn.exact="uid=ldap_write,ou=ldap,dc=conf,dc=top" write
        by dn.exact="uid=ldap_admin,ou=ldap,dc=conf,dc=top" manage
        by dn.exact="uid=ldap_sync,ou=ldap,dc=conf,dc=top" read
        by self write
        by * none
access to attrs=shadowLastChange
        by anonymous auth
        by self write
        by dn.exact="uid=ldap_read,ou=ldap,dc=conf,dc=top" read
        by dn.exact="uid=ldap_write,ou=ldap,dc=conf,dc=top" write
        by dn.exact="uid=ldap_admin,ou=ldap,dc=conf,dc=top" manage
        by dn.exact="uid=ldap_sync,ou=ldap,dc=conf,dc=top" read
        by * none
access to *
        by anonymous auth
        by dn.exact="uid=ldap_read,ou=ldap,dc=conf,dc=top" read
        by dn.exact="uid=ldap_write,ou=ldap,dc=conf,dc=top" write
        by dn.exact="uid=ldap_admin,ou=ldap,dc=conf,dc=top" manage
        by dn.exact="uid=ldap_sync,ou=ldap,dc=conf,dc=top" read
        by * none

# Other settings
suffix      "dc=conf,dc=top"
checkpoint  1024 15
rootdn      "cn=root,dc=conf,dc=top"
rootpw      <hash produced by slappasswd>
# On a slave, make the database read-only
#readonly    on
directory   /var/lib/ldap
lastmod     on
index objectClass                       eq,pres
index ou,cn,mail,sn,givenName           eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid,mobile              eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
index sudoUser                          eq
index displayName                       pres,sub,eq
index default                           sub
index entryCSN,entryUUID                eq

# Replication (uncomment on master and slave as appropriate)
#overlay syncprov
#syncprov-checkpoint 100 10
#syncprov-sessionlog 100
#serverID      21       # server identifier, different on master and slave
#syncrepl      rid=101  # same on master and slave
#              provider=ldaps://master.ldap.conf.top
#              binddn="uid=ldap_sync,ou=ldap,dc=conf,dc=top"
#              bindmethod=simple
#              starttls=yes
#              tls_cacert=/etc/openldap/certs/ca.crt
#              tls_reqcert=never
#              credentials="<ldap_sync password>"
#              searchbase="dc=conf,dc=top"
#              schemachecking=off
#              type=refreshAndPersist
#              retry="60 +"
#mirrormode on

# Log level 0: logging off
loglevel 0

Two points to watch in the replication block once it is enabled: the provider URI is already ldaps://, so starttls=yes is redundant there, and tls_reqcert=never disables verification of the provider's certificate, which gives up exactly the protection the CA was created for; tls_reqcert=demand together with the tls_cacert line is the safe setting. The ACL on the config database grants manage rights only to the peercred identity of root, so cn=config is administered over the local ldapi:// socket, which is why that listener is kept enabled below.
  • Edit the slapd startup defaults in /etc/sysconfig/ldap so that plain ldap:// is off and only ldaps:// (plus the local ldapi:// socket) is served

SLAPD_LDAP=no
SLAPD_LDAPI=yes
SLAPD_LDAPS=yes
  • Copy the DB_CONFIG file

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chmod 600 /var/lib/ldap/DB_CONFIG
chown -R ldap:ldap /var/lib/ldap
chmod 700 /var/lib/ldap
  • Script /etc/openldap/init.sh that regenerates the slapd.d configuration from slapd.conf (run it after every change to slapd.conf)

#!/bin/bash
/etc/init.d/slapd stop
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d || exit 1
chmod 700 /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d
chown root:ldap /etc/openldap/slapd.conf
chmod 750 /etc/openldap/slapd.conf
/etc/init.d/slapd start
  • Start slapd once, then run init.sh

/etc/init.d/slapd start
sh /etc/openldap/init.sh

5. Create users and groups and import them into the LDAP database

  • a) Plan the user and group ID ranges, for example group IDs 20000-29999 and user IDs from 30000 upwards.
    Three groups will be created: operations confops, development confdev and QA confqa, plus a user admin who belongs to the operations group.

  • b) Create the user list user.txt in the same format as /etc/passwd:

admin:x:30001:20001::/home/admin:/bin/bash
  • c) Create the group list group.txt in the same format as /etc/group:

confops:x:20001:admin
confdev:x:20002:
confqa:x:20003:
  • d) Create the password file shadow.txt in the same format as /etc/shadow:

admin:$6$2Zdjcxvz$p/dHCZQUTn9dmSZdv2abCyd/oPRhskr3z4MNCCAYOn1LLYS3Q6DXw.VVXFt3CWger2SLwYWYS/a64yHNOuS3I/:16968:0:99999:7:::

The migrationtools scripts convert these exported user, group and password files into LDIF that slapd can load.
  • e) Export the environment variables

export LDAP_BASEDN="dc=conf,dc=top"
export LDAP_DEFAULT_MAIL_DOMAIN="conf.top"
  • f) Generate the LDIF files

/usr/share/migrationtools/migrate_base.pl > base.ldif
/usr/share/migrationtools/migrate_passwd.pl user.txt > user.ldif
/usr/share/migrationtools/migrate_group.pl group.txt > group.ldif
/usr/share/migrationtools/migrate_passwd.pl shadow.txt > shadow.ldif
  • g) Add a name-resolution entry to the local /etc/hosts; if slapd runs on another server, use that server's IP instead

127.0.0.1 master.ldap.conf.top
  • h) Import the LDIF files with ldapadd, entering the rootdn password when prompted. The client tools validate the server certificate, so /etc/openldap/ldap.conf on the machine running them must contain TLS_CACERT /etc/openldap/certs/ca.crt (the CA file copied in step 2d); otherwise every ldaps:// connection fails before the bind.

ldapadd -H "ldaps://master.ldap.conf.top" -D "cn=root,dc=conf,dc=top" -W -x -f base.ldif
ldapadd -H "ldaps://master.ldap.conf.top" -D "cn=root,dc=conf,dc=top" -W -x -f user.ldif
ldapadd -H "ldaps://master.ldap.conf.top" -D "cn=root,dc=conf,dc=top" -W -x -f group.ldif
#ldapadd -H "ldaps://master.ldap.conf.top" -D "cn=root,dc=conf,dc=top" -W -x -f shadow.ldif   # can be skipped
# Verify the import: the users exported from passwd should be returned
ldapsearch -H "ldaps://master.ldap.conf.top" -D "cn=root,dc=conf,dc=top" -W -x -LLL -b "ou=People,dc=conf,dc=top"

6. Create the LDAP service accounts ldap_admin, ldap_read, ldap_sync and ldap_write

  • Generate a password hash with slappasswd for each of the four accounts, substitute them into the userPassword fields below, and save the result as ldap.ldif:

dn: ou=ldap,dc=conf,dc=top
objectClass: top
objectClass: organizationalUnit
ou: ldap
description:: TERBUOezu+e7n+i0puWPtw==

dn: uid=ldap_read,ou=ldap,dc=conf,dc=top
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
sn: ldap_read
displayName: ldap_read
uid: ldap_read
homeDirectory: /home/ldap_read
loginShell: /sbin/nologin
cn: ldap_read
uidNumber: 58
gidNumber: 55
userPassword: {SSHA}fr03Kp4NIYfNXQDrO4a+J0yYRVZmZ3M2UGVoQ2lJMzk=

dn: uid=ldap_write,ou=ldap,dc=conf,dc=top
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
sn: ldap_write
displayName: ldap_write
uid: ldap_write
homeDirectory: /home/ldap_write
loginShell: /sbin/nologin
cn: ldap_write
uidNumber: 57
gidNumber: 55
userPassword: {SSHA}TahVHL4g/451wuljaM/bRbPQnz9Ba2YxVmNCZi9vNEo=

dn: uid=ldap_admin,ou=ldap,dc=conf,dc=top
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
sn: ldap_admin
displayName: ldap_admin
uid: ldap_admin
homeDirectory: /home/ldap_admin
loginShell: /sbin/nologin
cn: ldap_admin
uidNumber: 56
gidNumber: 55
userPassword: {SSHA}IgT0ZyVL4YyEr4LPsti59tCB0wVMT25tdWpDemhidjQ=

dn: uid=ldap_sync,ou=ldap,dc=conf,dc=top
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
givenName: ldap_sync
sn: ldap_sync
displayName: ldap_sync
uid: ldap_sync
homeDirectory: /home/ldap_sync
loginShell: /sbin/nologin
cn: ldap_sync
uidNumber: 59
gidNumber: 55
userPassword: {SSHA}reRN6H+hsiVdIRSFCfg9E6wwP9lQdkUzc1pCeUJROC8=
  • Import the accounts from ldap.ldif

ldapadd -H "ldaps://master.ldap.conf.top" -D "cn=root,dc=conf,dc=top" -W -x -f ldap.ldif

7. Create the sudo template. Replace the domain in the following with your own and save it as sudo.ldif.

  • In this template the confops group and the admin user can sudo without a password

  • The confdev and confqa groups may only sudo a fixed list of commands

  • The zabbix entry can be removed, or used as a pattern for granting specific sudo commands to any user. Every role below carries sudoOption: !authenticate, so none of them prompts for a password; drop that option from the confdev and confqa roles if an unlocked session should not be enough to run them. Note also that sudoCommand: ALL combined with sudoCommand: !/bin/passwd is not a real restriction, since ALL includes a shell from which passwd can be run.

dn: ou=SUDOers,dc=conf,dc=top
objectClass: top
objectClass: organizationalUnit
description: SUDO Configuration Subtree
ou: SUDOers

dn: cn=defaults,ou=SUDOers,dc=conf,dc=top
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: visiblepw
sudoOption: always_set_home
sudoOption: env_reset

dn: cn=root,ou=SUDOers,dc=conf,dc=top
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset

dn: cn=%wheel,ou=SUDOers,dc=conf,dc=top
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoOption: requiretty

dn: cn=%confops,ou=SUDOers,dc=conf,dc=top
objectClass: top
objectClass: sudoRole
cn: %confops
sudoUser: %confops
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoCommand: ALL
sudoCommand: !/bin/passwd

dn: cn=%confdev,ou=SUDOers,dc=conf,dc=top
objectClass: top
objectClass: sudoRole
cn: %confdev
sudoUser: %confdev
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoCommand: /sbin/service
sudoCommand: !/bin/passwd
sudoCommand: /etc/init.d/tomcat
sudoCommand: /bin/kill
sudoCommand: /usr/bin/pkill
sudoCommand: /usr/bin/killall
sudoCommand: /etc/init.d/confservice
sudoCommand: /bin/su - app -s /bin/bash
sudoCommand: /bin/su - tomcat -s /bin/bash

dn: cn=%confqa,ou=SUDOers,dc=conf,dc=top
objectClass: top
objectClass: sudoRole
cn: %confqa
sudoUser: %confqa
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoCommand: /sbin/service
sudoCommand: !/bin/passwd
sudoCommand: /etc/init.d/confservice
sudoCommand: /bin/kill
sudoCommand: /usr/bin/pkill
sudoCommand: /usr/bin/killall
sudoCommand: /bin/su - app -s /bin/bash
sudoCommand: /bin/su - tomcat -s /bin/bash
sudoCommand: /etc/init.d/tomcat

dn: cn=zabbix,ou=SUDOers,dc=conf,dc=top
objectClass: top
objectClass: sudoRole
cn: zabbix
sudoHost: ALL
sudoUser: zabbix
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoRunAsUser: root
sudoCommand: !/bin/passwd
sudoCommand: /etc/init.d/tomcat
sudoCommand: /etc/init.d/confservice
sudoCommand: /usr/bin/nmap
sudoCommand: /usr/local/zabbix-ztc/bin/sudo-*

dn: cn=admin,ou=SUDOers,dc=conf,dc=top
objectClass: top
objectClass: sudoRole
cn: admin
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoCommand: ALL
sudoCommand: !/bin/passwd
sudoUser: admin
  • 導(dǎo)入用戶和組后,默認(rèn)應(yīng)該是沒有我們自定義的my.schema模板(objectclass=MyAccount)

  • Connect to the directory with an LDAP client (the Windows tool LDAP Admin is recommended) and add to each user:

  • objectClass: MyAccount and objectClass: ldapPublicKey

  • then fill in sshPublicKey (the user's SSH public key), active (1 enabled, 0 disabled) and access (value ssh, which authorizes SSH login)
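Editing every user by hand in LDAP Admin does not scale past a handful of accounts. As an added example (not from the original article), the Python below produces the user and group LDIF directly from the passwd- and group-format lines of step 5, with the MyAccount and ldapPublicKey classes and the active, access, host and sshPublicKey attributes already present, so one ldapadd loads everything. It assumes the article's suffix dc=conf,dc=top and the ou=People and ou=Group containers that migrate_base.pl creates; the structural class is account (what migrate_passwd.pl emits by default), because inetOrgPerson does not permit the host attribute that the sssd access filter in Part 2 relies on. The sample lines, keys and {SSHA} strings are constructed placeholders; userPassword is expected to be an already hashed value from slappasswd.

```python
import base64

BASE_DN = "dc=conf,dc=top"   # assumption: the suffix used throughout the article


def ldif_line(attr: str, value) -> str:
    """Format one LDIF attribute line per RFC 2849.

    A value that is not a SAFE-STRING (non-ASCII, contains CR/LF, starts with space, ':' or '<',
    or ends with a space) is written base64-encoded with the '::' separator.
    """
    raw = value.encode("utf-8") if isinstance(value, str) else bytes(value)
    safe = (raw.isascii() and b"\r" not in raw and b"\n" not in raw
            and not raw.startswith((b" ", b":", b"<")) and not raw.endswith(b" "))
    if safe:
        return f"{attr}: {raw.decode('ascii')}"
    return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"


def user_entry(passwd_line: str, password_hash: str, ssh_pubkey: str,
               hosts=("*",), active: int = 1, access=("ssh",)) -> str:
    """Build one user entry from an /etc/passwd-style line plus the article's MyAccount fields."""
    name, _, uid, gid, gecos, home, shell = passwd_line.rstrip("\n").split(":")
    attrs = [
        ("dn", f"uid={name},ou=People,{BASE_DN}"),
        ("objectClass", "top"),
        ("objectClass", "account"),          # structural class; allows the host attribute
        ("objectClass", "posixAccount"),
        ("objectClass", "shadowAccount"),
        ("objectClass", "MyAccount"),        # custom auxiliary class from my.schema
        ("objectClass", "ldapPublicKey"),    # from openssh-lpk-openldap.schema
        ("uid", name),
        ("cn", name),
        ("sn", name),
        ("displayName", gecos or name),
        ("uidNumber", uid),
        ("gidNumber", gid),
        ("homeDirectory", home),
        ("loginShell", shell),
        ("userPassword", password_hash),     # already hashed, e.g. slappasswd output
        ("active", str(active)),             # MUST attribute of MyAccount: 1 enabled, 0 disabled
    ]
    attrs += [("access", a) for a in access]   # sssd only admits users with access=ssh
    attrs += [("host", h) for h in hosts]      # "*" or a server IP, matched by ldap_access_filter
    attrs.append(("sshPublicKey", ssh_pubkey))
    return "\n".join(ldif_line(a, v) for a, v in attrs) + "\n"


def group_entry(group_line: str) -> str:
    """Build a posixGroup entry from an /etc/group-style line (one memberUid per member)."""
    name, _, gid, members = group_line.rstrip("\n").split(":")
    attrs = [
        ("dn", f"cn={name},ou=Group,{BASE_DN}"),
        ("objectClass", "top"),
        ("objectClass", "posixGroup"),
        ("cn", name),
        ("gidNumber", gid),
    ]
    attrs += [("memberUid", m) for m in members.split(",") if m]
    return "\n".join(ldif_line(a, v) for a, v in attrs) + "\n"


def build_ldif(users, groups) -> str:
    """users: iterable of (passwd_line, password_hash, ssh_pubkey); groups: /etc/group lines."""
    entries = [user_entry(*u) for u in users] + [group_entry(g) for g in groups]
    return "\n".join(entries)        # RFC 2849: entries are separated by one blank line


# Constructed sample input: placeholder hashes and keys, not real credentials.
SAMPLE_USERS = [
    ("admin:x:30001:20001::/home/admin:/bin/bash",
     "{SSHA}ReplaceWithSlappasswdOutput=",
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA admin@conf.top"),
    ("zhangsan:x:30002:20002:张三:/home/zhangsan:/bin/bash",
     "{SSHA}ReplaceWithSlappasswdOutput=",
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA zhangsan@conf.top"),
]
SAMPLE_GROUPS = ["confops:x:20001:admin", "confdev:x:20002:zhangsan", "confqa:x:20003:"]

if __name__ == "__main__":
    print(build_ldif(SAMPLE_USERS, SAMPLE_GROUPS), end="")
```

Write the output to a file and load it with the same ldapadd command used for user.ldif; the non-ASCII display name shows why the encoder matters, since a raw UTF-8 value after a single colon is rejected by slapd's LDIF parser.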


Part 2

Installing and configuring the SSSD client for OpenLDAP

1. Install the sssd-ldap client with yum

yum install authconfig sssd-ldap -y

2. Enable sssd with authconfig

authconfig \
  --passalgo=sha512 \
  --enablesssd \
  --enablesssdauth \
  --enablelocauthorize \
  --ldapserver=ldaps://master.ldap.conf.top \
  --ldapbasedn="dc=conf,dc=top" \
  --enableldaptls \
  --enablerfc2307bis \
  --enablemkhomedir \
  --enablecachecreds \
  --disableldap \
  --disableldapauth \
  --disablefingerprint \
  --disablesmartcard \
  --disablekrb5 \
  --update

3. Configure sssd.conf

  • Copy the CA certificate created in Part 1, /etc/pki/CA/certs/ca.crt, to /etc/openldap/certs/ca.crt on the client

  • Notes:
    enumerate=False stops getent from walking all LDAP users and groups; set it to True if getent passwd or getent group should list the directory's users and groups
    ldap_user_search_filter controls who may log in: active must be 1
    ldap_access_filter is the per-host access control; the IP in it has to be replaced with the address of each client server
    For example (|(host=*)(host=192.168.61.11)) means a user may log in only when the host attribute contains * or contains this server's IP. In the configuration the asterisk is escaped (\* here, or \2a in RFC 4515 notation) so that it matches a literal "*" value instead of acting as a presence wildcard that any host value would satisfy
    ldap_backup_uri is the standby LDAP server
    ldap_default_authtok is the ldap_read account's password (in clear text)

  • Create or replace /etc/sssd/sssd.conf with the following contents:

[sssd]
config_file_version = 2
domains = LDAP
services = nss, pam, ssh, sudo

[domain/LDAP]
enumerate = False
entry_cache_timeout = 3600
refresh_expired_interval = 1800
cache_credentials = True
account_cache_expiration = 1
pwd_expiration_warning = 0

id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
access_provider = ldap
chpass_provider = ldap
selinux_provider = none
subdomains_provider = none
autofs_provider = none
hostid_provider = none

lookup_family_order = ipv4_only
ldap_uri = ldaps://master.ldap.conf.top
ldap_backup_uri = ldaps://slave.ldap.conf.top
ldap_chpass_uri = ldaps://master.ldap.conf.top
ldap_default_bind_dn = uid=ldap_read,ou=ldap,dc=conf,dc=top
ldap_default_authtok = rm3cZklvmufI760O
ldap_search_base = dc=conf,dc=top
ldap_user_search_base = ou=People,dc=conf,dc=top
ldap_group_search_base = ou=Group,dc=conf,dc=top
ldap_sudo_search_base = ou=SUDOers,dc=conf,dc=top
# written as one AND filter so the same string can be tested directly with ldapsearch
ldap_user_search_filter = (&(active=1)(access=ssh))
ldap_access_order = filter
# literal "*" (escaped) or this client's own IP; replace the IP on every client
ldap_access_filter = (|(host=\*)(host=192.168.61.11))
ldap_pwd_policy = shadow
ldap_user_ssh_public_key = sshPublicKey
ldap_account_expire_policy = shadow
ldap_chpass_update_last_change = True

ldap_id_use_start_tls = True
ldap_tls_reqcert = hard
ldap_tls_cacertdir = /etc/openldap/certs
ldap_tls_cacert = /etc/openldap/certs/ca.crt
ldap_tls_cipher_suite = TLSv1.2+RSA:!EXPORT:!NULL

[pam]
offline_credentials_expiration = 1
offline_failed_login_attempts = 3
pam_account_expired_message = Account expired, please call help desk.

[ssh]
ssh_hash_known_hosts = false

[sudo]

[nss]
fd_limit = 65535
filter_groups = root,bin,daemon,sys,adm,tty,disk,lp,mem,kmem,wheel,mail,uucp,man,games,gopher,video,dip,ftp,lock,audio,nobody,users,dbus,utmp,utempter,floppy,vcsa,stapusr,stapsys,stapdev,abrt,cdrom,tape,dialout,haldaemon,ntp,cgred,saslauth,postdrop,postfix,sshd,oprofile,tcpdump,screen,slocate,www,tomcat,apache,nginx,zabbix,rpc,rpcuser,nfsnobody
filter_users = root,bin,daemon,adm,lp,sync,shutdown,halt,mail,uucp,operator,games,gopher,ftp,nobody,dbus,vcsa,abrt,haldaemon,ntp,saslauth,postfix,sshd,oprofile,tcpdump,www,tomcat,apache,nginx,zabbix,rpc,rpcuser,nfsnobody

ldap_tls_reqcert = hard is the setting that makes the CA file matter: the client refuses the server unless its certificate chains to ca.crt and carries the connected host name in subjectAltName. Keep it; lowering it to allow or never silently accepts any certificate, including one presented by a machine impersonating the LDAP server.
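The two filters in this file decide who gets in, so it is worth seeing exactly what they match. The Python below is an added example, not part of the original article or of SSSD itself: a small evaluator for the RFC 4515 filter subset used here (&, |, !, equality, presence and substring matching, with \XX hex escapes and the older \* form). Run against constructed entries it shows that (&(active=1)(access=ssh)) rejects a disabled account, that host=\* matches only a literal asterisk value while host=* is a presence test satisfied by any host, and that (active=1)(access=ssh) is not a single filter. Value comparison is plain string equality, a simplification of the per-attribute matching rules the server applies.

```python
import string


def parse_filter(text: str):
    """Parse an RFC 4515 string filter into ('&'|'|'|'!', [children]) or ('=', attr, value) nodes."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError(f"trailing data after filter: {text[end:]!r}")
    return node


def _parse(t: str, i: int):
    if i >= len(t) or t[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(t) and t[i] in "&|!":
        op, i, kids = t[i], i + 1, []
        while i < len(t) and t[i] == "(":
            kid, i = _parse(t, i)
            kids.append(kid)
        if i >= len(t) or t[i] != ")" or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed {op!r} filter at offset {i}")
        return (op, kids), i + 1
    close = t.find(")", i)                 # a ')' inside a value must be escaped as \29
    if close < 0 or "=" not in t[i:close]:
        raise ValueError(f"malformed filter item at offset {i}")
    attr, _, value = t[i:close].partition("=")
    return ("=", attr.strip().lower(), value), close + 1


def _pieces(value: str):
    """Split an assertion value on unescaped '*' and decode the escapes inside each piece."""
    parts, cur, i = [], "", 0
    while i < len(value):
        c = value[i]
        if c == "\\":
            hexpair = value[i + 1:i + 3]
            if len(hexpair) == 2 and all(h in string.hexdigits for h in hexpair):
                cur += chr(int(hexpair, 16))   # RFC 4515 form, e.g. \2a for a literal '*'
                i += 3
            elif i + 1 < len(value):
                cur += value[i + 1]            # older RFC 2254 form, e.g. \*, still accepted by libldap
                i += 2
            else:
                raise ValueError("dangling backslash in assertion value")
        elif c == "*":
            parts.append(cur)                  # an unescaped '*' separates substring pieces
            cur = ""
            i += 1
        else:
            cur += c
            i += 1
    parts.append(cur)
    return parts


def _match(parts, value: str) -> bool:
    if len(parts) == 1:                        # no wildcard: equality (plain string compare here)
        return value == parts[0]
    head, tail = parts[0], parts[-1]           # substring filter: initial*any*...*final
    if not value.startswith(head) or not value.endswith(tail):
        return False
    pos, end = len(head), len(value) - len(tail)
    for piece in parts[1:-1]:
        idx = value.find(piece, pos, end)
        if idx < 0:
            return False
        pos = idx + len(piece)
    return pos <= end


def _eval(node, entry) -> bool:
    kind = node[0]
    if kind == "&":
        return all(_eval(k, entry) for k in node[1])
    if kind == "|":
        return any(_eval(k, entry) for k in node[1])
    if kind == "!":
        return not _eval(node[1][0], entry)
    _, attr, pattern = node
    values = entry.get(attr, [])
    parts = _pieces(pattern)
    if parts == ["", ""]:                      # "(attr=*)" is a presence test, not a literal
        return bool(values)
    return any(_match(parts, v) for v in values)


def evaluate(filter_text: str, entry: dict) -> bool:
    """True when the entry (attribute name -> list of values) satisfies the filter."""
    lowered = {k.lower(): [str(v) for v in vals] for k, vals in entry.items()}
    return _eval(parse_filter(filter_text), lowered)


def is_valid_filter(text: str) -> bool:
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


# Constructed entries shaped like the users created in Part 1 (not real directory data).
ADMIN = {"uid": ["admin"], "active": ["1"], "access": ["ssh", "web"], "host": ["*"]}
DEV = {"uid": ["dev1"], "active": ["0"], "access": ["ssh"], "host": ["192.168.61.11"]}

LOGIN_FILTER = "(&(active=1)(access=ssh))"           # ldap_user_search_filter
HOST_FILTER = r"(|(host=\*)(host=192.168.61.11))"    # ldap_access_filter: literal '*' or this host

if __name__ == "__main__":
    for name, entry in (("admin", ADMIN), ("dev1", DEV)):
        print(name, "login:", evaluate(LOGIN_FILTER, entry), "host:", evaluate(HOST_FILTER, entry))
```

The same filters can be checked against the live directory with ldapsearch -H ldaps://master.ldap.conf.top -D "uid=ldap_read,ou=ldap,dc=conf,dc=top" -W -x -b ou=People,dc=conf,dc=top '(&(active=1)(access=ssh))' uid, which returns exactly the accounts sssd will admit.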
  • Restrict the permissions on the configuration file (it holds the ldap_read password in clear text)

chmod 600 /etc/sssd/sssd.conf
  • Start the sssd service

chkconfig sssd on
/etc/init.d/sssd start

4. Edit /etc/nsswitch.conf

  • Replace /etc/nsswitch.conf with the following

passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files
publickey:  nisplus
automount:  files
aliases:    files nisplus
sudoers:    files sss

5. Add the following to /etc/ssh/sshd_config

PubkeyAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandRunAs nobody

AuthorizedKeysCommandRunAs is the spelling in the OpenSSH 5.3 build shipped with RHEL/CentOS 6; upstream OpenSSH 6.2 and later call the option AuthorizedKeysCommandUser. Before restarting, confirm that keys are served: sss_ssh_authorizedkeys admin should print the sshPublicKey value stored for that user.

6. Restart sshd

/etc/init.d/sshd restart

7. Add the extended attributes to users by hand with LDAP Admin

Connect to the LDAP server with LDAP Admin, double-click a user such as admin to open its properties, and under the account extensions tick Shadow account.
Then locate uid=admin in the directory tree, right-click and choose edit entry; in the editor, use the objectClass drop-down on the left to add the custom MyAccount class and the ldapPublicKey class for SSH keys, fill in the mandatory fields shown in black on the right, and save. Values: active=1 (enable the user), access=ssh (authorize SSH login), sshPublicKey (the user's public key).

Reference: https://sgallagh.fedorapeople.org/sssd/1.7.0/man/sssd-ldap.5.html

Original article: http://www.jslink.org/linux/openldap-ssl-sssd.html

All done! Try logging in.


Reposted from: https://blog.51cto.com/sunshineboy/1826738
